Hiding In Plain Sight (John Ferrell in Huntress, Jun 18, 2020, 4 min read): Hiding a malicious payload in a file meant to look like a log.
ThreatOps Analysis: Keyed Malware (John Ferrell in Huntress, Mar 18, 2020, 3 min read): Attackers will sometimes "key" the malware for a particular host or user, meaning the malware will only run on the targeted host…
Huntress Development Notes: Updating the Updater (John Ferrell in Huntress, Oct 3, 2019, 3 min read): If you've ever taken a look inside the Huntress Agent directory you may have noticed the file wyUpdate.exe. This executable is wyUpdate…
Deep Dive: A LNK in the Chain (John Ferrell in Huntress, May 30, 2019, 4 min read): The Huntress ThreatOps team sees all sorts of clever tricks attackers use to launch PowerShell.
Scheduled Task command with space "hides" the file from Autoruns (John Ferrell, May 3, 2019, 3 min read): TL;DR: Creating a scheduled task with a space in the file path will "hide" the executable from Autoruns. The file path is split on the…
Deep Dive: Windows Administrative Shares (John Ferrell in Huntress, Feb 7, 2019, 3 min read): The Huntress ThreatOps team continues to see new Emotet and Trickbot malware outbreaks on our partners' managed networks. These malware…
Deep Dive: Examining A Powershell Payload (John Ferrell in Huntress, Oct 11, 2018, 4 min read): We continue to see more and more malware that is "Living Off The Land". In other words, it uses built-in tools and features of the…
Deep Dive: .NET Malware — Peeling Back the Layers (John Ferrell in Huntress, Jun 6, 2018, 4 min read): Cyber attackers constantly develop creative ways to obfuscate their code to conceal the presence (and purpose) of their malware. In this…
Deep Dive: Investigating a Foothold & Uncovering the Payload (John Ferrell in Huntress, Oct 17, 2017, 4 min read): Recently, we flagged a User Run Key value with the name "xmNusBQH4865", which in and of itself was suspicious. The command executed was…
Abusing Trusted Applications with Nested Execution (John Ferrell in Huntress, Oct 3, 2017, 3 min read): Recently, my co-founders gave a talk at DerbyCon 7.0 on evading common persistence enumeration tools. Evasion using trusted applications…